module
Control Web Panel /admin/index.php Unauthenticated RCE
| Disclosed | Created |
|---|---|
| Dec 16, 2025 | Jan 14, 2026 |
Disclosed
Dec 16, 2025
Created
Jan 14, 2026
Description
Control Web Panel (CWP) versions unauthenticated OS command injection. User input passed via the
"key" GET parameter to /admin/index.php (when the "api" parameter is set)
is not properly sanitized before being used to execute OS commands.
This can be exploited by unauthenticated attackers to inject and execute
arbitrary OS commands with the privileges of the root user on the web server.
Successful exploitation usually requires "Softaculous" and/or "SitePad"
to be installed through the Scripts Manager.
"key" GET parameter to /admin/index.php (when the "api" parameter is set)
is not properly sanitized before being used to execute OS commands.
This can be exploited by unauthenticated attackers to inject and execute
arbitrary OS commands with the privileges of the root user on the web server.
Successful exploitation usually requires "Softaculous" and/or "SitePad"
to be installed through the Scripts Manager.
Authors
Lukas Johannes Möller
Egidio Romano
Egidio Romano
Platform
Linux,Unix
Architectures
x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.